3.2 Mn Debit Cards Under Threat; What Are Banks Doing?

In one of the biggest security breaches in the Indian banking industry, at least 3 million bank debit cards have come under threat due to an alleged security breach after Yes Bank’s ATM raised fears of a potential fraud. According to media reports, the payment systems of Hitachi Payment Services were infested with malware that helped miscreants to steal personal information and do fraudulent transactions. This clearly indicates that banks’ online security is failing customers yet again. But what are banks doing about it?

A report in The Economic Times mentioned that cards issued by the State Bank of India, HDFC Bank, ICICI Bank, YES Bank and Axis Bank were the “worst affected”. According to sources cited in the report, the breach might have happened at Yes Bank as Hitachi manages the bank’s ATMs. The reason why other banks became vulnerable is because YES Bank ATMs see many third party transactions, says the report.

Why banks should be worried

What is worrisome is that the breach was effected in such a way that anyone using the bank’s ATMs in the region would risk having data compromised, a PTI report said citing bankers.

In light of the incident, several banks have said they will either replace or ask customer to change the security codes. The move comes a day after India’s largest lender State Bank of India said that it had blocked 6 lakh debit cards of certain customers in order to them new cards, in “precautionary” measures after being informed of potential risks to those cards.

“Card network companies NPCI, Mastercard and Visa had informed various banks in India about a potential risk to some cards in India owing to a data breach. Accordingly, SBI has taken precautionary measures and have blocked cards of certain customers identified by the networks,” SBI said in a statement.

“Customers of other banks are also likely to be affected by security breach which occurred in an ATM network. Anybody using the affected ATM is at risk,” said a banking source.

In another case of security breach, Axis Bank said it has filed a preliminary report about the malware attack to the Reserve Bank of India and hired EY to carry out an investigation.

The bank’s internal monitoring mechanism identified such a threat recently and all steps have been undertaken to neutralise the same, it said. “We stay committed to our customers and it has always been our endeavour to ensure that our customers’ interests are always protected. There has been no loss to our customers,” Axis Bank said.

Yes Bank on its part has “proactively undertaken a comprehensive audit of ATMs”. “There is no evidence of a breach or compromise on ATMs. We continue to work with relevant stakeholders, including other public sector and private banks, and NPCI, to ensure utmost safety and security of ATM network and payment services which are completely safe to use,” a bank spokesperson told the agency.

Hitachi too has denied that its systems have been compromised. “I do not think it is necessary for any bank to reissue cards,” Loney Antony, MD, Hitachi Payment Services, has been quoted as saying in the TOI report. [Read the full report here]

Nonetheless, in the wake of these incidents, all banks are asking customers to not only change their ATM PIN, but they are also blocking international transactions that can be conducted without PIN

What customers can do?

All the recently reported debit card data breaches have happened at the bank level. With online bank frauds on the rise, the RBI had recently proposed that a customer will not be liable to make the payment if the fraud or negligence is on part of the bank and the customer notifies the lender within three working days of receiving communication from the bank regarding unauthorised transaction by a third party.

However, Amit Jaju, executive director, fraud investigation and dispute services, EY argues, “There is nothing much a customer can do if the breach has happened at the bank level. “If there is more than one customer involved there is not much customers can do,”

If the customer’s own involvement is not clearly established, customer liability will be limited to a maximum of Rs 5,000 if he reports within 4 to 7 working days. A customer’s entitlement to zero liability shall arise where the security architecture and systems of the bank for electronic banking transactions are not able to protect the customer for fraud/ negligence on the part of the bank, the RBI said in its draft norms in August 2016.

Other private banks are conducting security review by experts of its ATM networks to pre-empt any type of breaches and things seem to be under control at present. However, going forwarrd, banks need to rethink their security policies.

A report by research firm Wakefield suggests that, nearly nine out of 10 users would discontinue using digital payments if they personally fell victim to cybercriminal activities as a result of a data breach. The top three reasons respondents said that they would discontinue use of digital payments were if money was stolen from a linked bank account, unauthorized charges appeared on a linked credit card account and if username and password was stolen.

While there were 697.2 million debit cards in India as of end-July, and going by the data the number of cards that got affected is just about half a percent of total cards issued in the country, it still puts the banks in India under high alert so that they increase focus on cyber security and their preparedness to handle cyber fraud.

While many believe CIO's role is evolving and that he's occupying a key place in the boardroom, a recent study brings to light that more than half of the CIO, CTO or IT admin staff (55%) are not thanked by colleagues for carrying out essential IT tasks on their behalf.